[Pki-devel] testing pki-ca behind apache for ipa

Ade Lee alee at redhat.com
Mon Aug 15 16:00:29 UTC 2011


Adam, 

As you know, I have been testing putting a dogtag CA behind an apache
instance - and using the standard ports to contact the CA.  The basic
idea is to let apache handle the client authentication required, and
then to pass the relevant parameters to tomcat using AJP.

What this means is there will be a dogtag.conf file placed
under /etc/httpd/httpd.conf - and this file will contain Location
elements with ProxyPass directives.  Some of these (agent pages) will
require client authentication, and some will not.

I had run into an issue with my browser where when switching from
non-client-auth to client-auth, renegotiations were being disallowed.
This is, I strongly suspect, due to the fixes in NSS for the MITM issue,
where "unsafe" legacy renegotiations will be disallowed.  Attempts to
pass the relevant environment parameters to NSS failed to alter this
result.  I'll continue to work with Rob on this.

However, I believe that this problem will not affect the installation/
interaction of IPA with dogtag.  Why?  Because the ipa-ra-plugin is
using the latest NSS under the covers - which uses the new safe
renegotiation protocol.

My initial testing seems to indicate that this is in fact the case.
However, as I have been pulled into fips issues, I was hoping you could
continue the testing.  Once we have a working setup, we can worry about
the code changes to pkicreate/pkisilent to do most of the
configuration. 

Here is what you need to do:

1. Install ipa with dogtag 
2. Stop the CA (service pki-cad stop pki-ca)
3. Modify /etc/pki-ca/server.xml.  You need to uncomment the ajp port,
and have it redirect for SSL to the EE port (9444)
4. Modify the web.xml in  /var/lib/pki-ca/webapps/ca/WEB-INF/web.xml to
turn off the filtering mechanism.  You will see stanzas like the
following for ee, agent and admin ports.  Make sure that active is set
to false for all.

    <filter>
        <filter-name>AgentRequestFilter</filter-name>
        <filter-class>com.netscape.cms.servlet.filter.AgentRequestFilter</filter-class>
        <init-param>
            <param-name>https_port</param-name>
            <param-value>9203</param-value>
        </init-param>
        <init-param>
            <param-name>active</param-name>
            <param-value>false</param-value>
        </init-param>
    </filter>
5. Place the attached dogtag.conf file into /etc/httpd/conf.d/ 
6. restart the ca. (service pki-cad start pki-ca)

We are now ready to do some testing.

1. Modify the ipa-ra-plugin config to point to port 443 instead of 9443
2. Do your IPA cert tests and confirm that it works ok.
3. Try installing a replica.  Make sure to pass https://hostname:443
   That is - do not leave out the 443 part, as the installation code will
   not recognize 443 as a default port.  Actually, now that I think about
   it - there will be more changes needed in the Installation Panel code to
   get all this to work.  So I'll get to this when I can.

Thanks, 

Ade



-------------- next part --------------
#NSS_SSL_ENABLE_RENEGOTIATION 1

ProxyRequests Off

# matches for ee port
<LocationMatch "^/ca/ee/*|^/ca/renewal|^/ca/certbasedenrollment|^/ca/ocsp|^/ca/enrollment|^/ca/profileSubmit|^/ca/cgi-bin/pkiclient.exe">
    NSSVerifyClient none
    ProxyPassMatch ajp://127.0.0.1:8009/
    ProxyPassReverse ajp://127.0.0.1:8009/
</LocationMatch>

# matches for admin port 
<LocationMatch "^/ca/admin/*|^/ca/auths|^/ca/acl|^/ca/server|^/ca/caadmin|^/ca/caprofile|^/ca/jobsScheduler|^/ca/capublisher|^/ca/log|^/ca/ug">
    NSSVerifyClient none
    ProxyPassMatch ajp://127.0.0.1:8009/
    ProxyPassReverse ajp://127.0.0.1:8009/
</LocationMatch>

# matches for agent port and eeca port
<LocationMatch "^/ca/agent/*|^/ca/ca/getCertFromRequest|^/ca/ca/GetBySerial|^/ca/ca/connector|^/ca/ca/displayCertFromRequest|^/ca/doRevoke|^/ca/eeca/*">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://127.0.0.1:8009/
    ProxyPassReverse ajp://127.0.0.1:8009/
</LocationMatch>

# static content
<LocationMatch "^/graphics/*">
    NSSVerifyClient none
    ProxyPassMatch ajp://127.0.0.1:8009/
    ProxyPassReverse ajp://127.0.0.1:8009/
</LocationMatch>
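Because every one of the LocationMatch sections above proxies to the same AJP port and only the NSSVerifyClient line differs, the effective client-cert policy for a given URL depends on which regexes match it and, where several match, on the order of the sections (later sections override earlier ones for the same directive). The script below is an added example, not part of the original mail or of the dogtag/IPA code: it parses a constructed copy of the attached dogtag.conf, resolves the policy Apache would apply to a request path, and lists proxied paths that do not require a client certificate. The sample configuration text, the helper names and the assumption that an unset NSSVerifyClient behaves like "none" are this example's own.

```python
import re

# Constructed copy of the LocationMatch sections from the attached dogtag.conf,
# reduced to the directives this check looks at (sample data, not a live file).
SAMPLE_CONF = """
ProxyRequests Off

<LocationMatch "^/ca/ee/*|^/ca/renewal|^/ca/certbasedenrollment|^/ca/ocsp|^/ca/enrollment|^/ca/profileSubmit|^/ca/cgi-bin/pkiclient.exe">
    NSSVerifyClient none
    ProxyPassMatch ajp://127.0.0.1:8009/
</LocationMatch>

<LocationMatch "^/ca/admin/*|^/ca/auths|^/ca/acl|^/ca/server|^/ca/caadmin|^/ca/caprofile|^/ca/jobsScheduler|^/ca/capublisher|^/ca/log|^/ca/ug">
    NSSVerifyClient none
    ProxyPassMatch ajp://127.0.0.1:8009/
</LocationMatch>

<LocationMatch "^/ca/agent/*|^/ca/ca/getCertFromRequest|^/ca/ca/GetBySerial|^/ca/ca/connector|^/ca/ca/displayCertFromRequest|^/ca/doRevoke|^/ca/eeca/*">
    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
    NSSVerifyClient require
    ProxyPassMatch ajp://127.0.0.1:8009/
</LocationMatch>

<LocationMatch "^/graphics/*">
    NSSVerifyClient none
    ProxyPassMatch ajp://127.0.0.1:8009/
</LocationMatch>
"""

# One LocationMatch section: the quoted regex and the directive lines inside it.
BLOCK_RE = re.compile(r'<LocationMatch\s+"([^"]+)">\s*(.*?)\s*</LocationMatch>', re.S)


def parse_location_blocks(conf):
    """Return [(compiled_regex, {directive: value}), ...] in file order."""
    blocks = []
    for m in BLOCK_RE.finditer(conf):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(" ")
            directives[name] = value.strip()
        blocks.append((re.compile(m.group(1)), directives))
    return blocks


def effective_directives(blocks, path):
    """Merge the directives of every matching section, later sections winning.

    Apache applies LocationMatch sections in order of appearance and lets a
    later matching section override a directive set by an earlier one, so the
    merge below walks the list in file order and updates as it goes.
    """
    merged = {}
    for pattern, directives in blocks:
        if pattern.search(path):
            merged.update(directives)
    return merged or None


def client_auth_policy(blocks, path):
    """'require' / 'none' for proxied paths, 'not-proxied' if no section matches."""
    eff = effective_directives(blocks, path)
    if eff is None or "ProxyPassMatch" not in eff:
        return "not-proxied"
    # Assumption of this example: with no NSSVerifyClient in any matching
    # section the server-level default applies, treated here as "none".
    return eff.get("NSSVerifyClient", "none")


def unauthenticated_proxied_paths(blocks, paths):
    """Paths that reach the CA through AJP without a client certificate."""
    return sorted(p for p in paths if client_auth_policy(blocks, p) == "none")


if __name__ == "__main__":
    blocks = parse_location_blocks(SAMPLE_CONF)
    for p in ["/ca/agent/listRequests", "/ca/eeca/ca/displayBySerial",
              "/ca/ee/ca/profileSubmit", "/ca/admin/console", "/ca/unknown"]:
        print(f"{p:35s} -> {client_auth_policy(blocks, p)}")
```

The interesting case is /ca/eeca/...: the ee regex `^/ca/ee/*` has no trailing anchor, so it also matches paths under /ca/eeca, and that section sets NSSVerifyClient none. Those URLs still end up requiring a client certificate only because the agent/eeca section comes later in the file and overrides it; reordering the sections would silently expose the eeca pages without client auth, which is exactly the kind of thing this resolver makes visible before the configuration is deployed.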
